MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43a30f28b31265a8bfcb084c9095a84139c3fac46f3f2ea55fcb78880609fbca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 12

SHA256 hash: 43a30f28b31265a8bfcb084c9095a84139c3fac46f3f2ea55fcb78880609fbca
SHA3-384 hash: fd74930a5af4358bcb87a2ce4e35202c9e773841b58572115d87c36fc2acc206bc26c92d1a89abed60709a11e11aa985
SHA1 hash: 842428d47d16ef1f8ade0c48441c35e6bae112a1
MD5 hash: 2a4a2a81d7b64912b929d4ecfa94e2a6
humanhash: papa-tennis-carbon-harry
File name: 2A4A2A81D7B64912B929D4ECFA94E2A6.exe
Signature: RaccoonStealer
File size: 272'896 bytes
First seen: 2021-08-19 20:25:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32eca4427f106c548c06ec4f87d7efd7 (4 x Smoke Loader, 1 x RedLineStealer, 1 x RaccoonStealer)
ssdeep: 3072:88svNt2s/gTH77qA0lHGo5kQVJ25OdMv8G1xbeRfRVIBN4URuQQuKT0yB3m4nY:Kt2NTb+A0lvxVI5OdnG3bzW3l+4
TLSH: T16944E1213792D177D19706300461FBE09ABABE42FB21C65B6B953A2F5F713C0963638B
dhash icon: 7368dc347498f12e (1 x RaccoonStealer)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://34.135.32.61/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
http://34.135.32.61/    https://threatfox.abuse.ch/ioc/192233/

Intelligence


File Origin
# of uploads:
1
# of downloads:
140
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2A4A2A81D7B64912B929D4ECFA94E2A6.exe
Verdict:
Malicious activity
Analysis date:
2021-08-19 20:31:25 UTC
Tags:
trojan stealer raccoon opendir evasion loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending an HTTP GET request
Deleting a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Connection attempt to an infection source
Sending an HTTP POST request
Creating a file
Sending a UDP request
Reading critical registry keys
Sending a custom TCP request
Delayed reading of the file
Searching for the window
Creating a window
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% subdirectories
Launching a process
Creating a file in the Program Files subdirectories
Launching cmd.exe command interpreter
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Launching a tool to kill processes
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Clipboard Hijacker Cryptbot Raccoon
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Delayed program exit found
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sample or dropped binary is a compiled AutoHotkey binary
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Autohotkey Downloader Generic
Yara detected Clipboard Hijacker
Yara detected Cryptbot
Yara detected Evader
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 468486
Sample: 20QHSZ6ecn.exe
Start date: 19/08/2021
Architecture: WINDOWS
Score: 100

Start node (sample level):
  Domains: hypercustom.top; fYkRnLiyNmVjHRcBr.fYkRnLiyNmVjHRcBr
  Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures
  Starts: 20QHSZ6ecn.exe

20QHSZ6ecn.exe:
  Network: hypercustom.top 194.87.236.205 (ports 49734, 49735, 49768; MTW-ASRU, Russian Federation); sarfri06.top 45.130.151.13 (ports 49728, 49729, 49730; MARKTELRU, Russian Federation); 4 other IPs or domains
  Dropped: C:\Users\user\AppData\...\57768501457.exe (PE32); C:\Users\user\AppData\...\21878704636.exe (PE32); C:\Users\user\AppData\...\16668480373.exe (PE32); 6 other files (none is malicious)
  Signatures: Detected unpacking (changes PE section rights); May check the online IP address of the machine
  Starts: cmd.exe (4 instances)

cmd.exe (1st instance):
  Signatures: Obfuscated command line found
  Starts: 16668480373.exe; conhost.exe
cmd.exe (2nd instance):
  Starts: 21878704636.exe; conhost.exe
cmd.exe (3rd instance):
  Starts: 57768501457.exe; conhost.exe
cmd.exe (4th instance):
  Starts: conhost.exe; taskkill.exe

16668480373.exe:
  Network: telete.in 195.201.225.248 (ports 443, 49732; HETZNER-ASDE, Germany); 34.135.32.61 (ports 49733, 80; ATGS-MMD-ASUS, United States)
  Dropped: C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\...\ucrtbase.dll (PE32); 56 other files (none is malicious)
  Signatures: Detected unpacking (changes PE section rights); Tries to steal Mail credentials (via file access); Contains functionality to steal Internet Explorer form passwords
  Starts: cmd.exe, which starts conhost.exe and timeout.exe

21878704636.exe:
  Network: knuxiq42.top 94.140.112.10 (ports 49749, 80; TELEMACHBroadbandAccessCarrierServicesSI, Latvia); 195.123.222.54 (ports 49756, 80; ITLDC-NLUA, Bulgaria); 2 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\Temp\Filett.exe (PE32); C:\Users\user\AppData\Local\...\lv[1].exe (PE32)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)
  Starts: Filett.exe; cmd.exe, which starts conhost.exe

57768501457.exe:
  Network: 192.168.2.1 (unknown); iplogger.org
  Signatures: May check the online IP address of the machine; Sample or dropped binary is a compiled AutoHotkey binary
  Starts: WerFault.exe (4 instances)

Filett.exe:
  Dropped: C:\Users\user\AppData\Local\Temp\...\frey.exe (PE32); C:\Users\user\AppData\Local\Temp\...\vts.exe (PE32); C:\Users\user\AppData\Local\Temp\...\UAC.dll (PE32); 3 other files (none is malicious)
  Starts: frey.exe; vts.exe

frey.exe:
  Dropped: C:\Users\user\AppData\...\SmartClock.exe (PE32)
  Signatures: Detected unpacking (changes PE section rights); Delayed program exit found
Threat name:
Win32.Trojan.Fragtor
Status:
Malicious
First seen:
2021-08-19 00:10:48 UTC
AV detection:
36 of 47 (76.60%)
Threat level:
5/5
Result
Malware family:
raccoon
Score:
10/10
Tags:
family:cryptbot family:danabot family:raccoon botnet:00bdd6858c3856861f0d81937643f61ec7429443 botnet:4 banker discovery persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
CryptBot
CryptBot Payload
Danabot
Danabot Loader Component
Raccoon
Malware Config
C2 Extraction:
knuxiq42.top
morumd04.top
23.229.29.48:443
152.89.247.31:443
192.210.222.81:443
Unpacked files
SHA256 hash:
5611b86e01c303eac6b897543cff7e8b18aede57ec06718f9299b1eb6effe1a9
MD5 hash:
7c53fec6f3157c3eb5301e9ff42f1478
SHA1 hash:
5e490a803db58958e7fc6392a3e4dda2dc3874c3
SHA256 hash:
43a30f28b31265a8bfcb084c9095a84139c3fac46f3f2ea55fcb78880609fbca
MD5 hash:
2a4a2a81d7b64912b929d4ecfa94e2a6
SHA1 hash:
842428d47d16ef1f8ade0c48441c35e6bae112a1
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_AHK_Downloader
Author: ditekSHen
Description: Detects AutoHotKey binaries acting as second stage droppers
Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: MALWARE_Win_CryptBot
Author: ditekSHen
Description: CryptBot/Fugrafa stealer payload
Rule name: MALWARE_Win_RedLineDropperAHK
Author: ditekSHen
Description: Detects AutoIt/AutoHotKey executables dropping RedLine infostealer
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: win_cryptbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.cryptbot.
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.